LIMBACH & LIMBACH L.L.P.
2001 Ferry Building, San Francisco, CA 94111
415/433-4150

Address to:
Box Patent Application
Assistant Commissioner for Patents
Washington, D.C. 20231

Attorney's Docket No. NDS-4600 USA
First Named Inventor: AVIAD KIPNIS

UTILITY PATENT APPLICATION TRANSMITTAL
(under 37 CFR 1.53(b))



SIR: 

Transmitted herewith for filing is the patent application entitled: 
PUBLIC-KEY SIGNATURE METHODS AND SYSTEMS 

CERTIFICATION UNDER 37 CFR § 1.10 

I hereby certify that this New Application and the documents referred to as enclosed herein are being 
deposited with the United States Postal Service on this date April 19, 2000, in an envelope bearing
"Express Mail Post Office To Addressee" Mailing Label Number EL254110035US addressed to: Box
Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231. 



John Lyddan
(Name of person mailing paper) (Signature)

Enclosed are:

1. _x_ Transmittal Form (two copies required)

2. The papers required for filing date under CFR § 1.53(b): 

i. 32 Pages of specification (including description, appendix, claims and abstract);
ii. JL. Sheets of drawings.

x formal informal 

3. Declaration or oath 

a. _x_ (unsigned) 

4. Microfiche Computer Program (Appendix, see 37 CFR 1.96)

5. Nucleotide and/or Amino Acid Sequence Submission (if applicable, all necessary) 

i. Computer Readable Copy 

ii. Paper Copy (identical to computer copy) 

iii. Statement verifying identity of above copies 

ACCOMPANYING APPLICATION PARTS 

6. _ An assignment of the invention to NDS Limited and Bull CP8 is attached (including Form 

PTO-1595). 

i. 37 CFR 3.73(b) Statement (when there is an assignee) 

7. _x_ Power of Attorney (unsigned) 

8. _ An Information Disclosure Statement (IDS) is enclosed, including a PTO-1449 and copies of 

references. 

9. Preliminary Amendment. 

10. _X_ Return Receipt Postcard (MPEP 503 - should be specifically itemized) 

11. Other



PATENTS\APP-TRAN.MRG
Rev. 10/13/98



12. FOREIGN PRIORITY 

[x] Priority of application no. 99401048.6 filed on April 29, 1999 in Europe is claimed under 35
USC 119. 

The certified copy of the priority application: 
is filed herewith; or 

has been filed in prior application no. _ filed on or 
x will be provided. 

English Translation Document (if applicable) 

13. FEE CALCULATION 

a. Amendment changing number of claims or deleting multiple dependencies is enclosed. 



CLAIMS AS FILED

                                      Number Filed   Number Extra   Rate       Basic Fee ($690)
Total Claims                          17 - 20        0              x $18.00   $.00
Independent Claims                    3 - 3          0              x $78.00   $.00
Multiple dependent claim(s), if any                                 $260.00    $.00

*If less than zero, enter "0".

Filing Fee Calculation $690.00 

50% Filing Fee Reduction (if applicable) $.00 

14. Small Entity Status 

a. A small entity statement is enclosed. 

b. A small entity statement was filed in the prior nonprovisional application and such status is 

still proper and desired. 

c. is no longer claimed. 



15. Other Fees

Recording Assignment [$40.00] $.00 

Other fees 

Specify . $.00 

Total Fees Enclosed $690.00 

16. Payment of Fees

x Check(s) in the amount of $690.00 enclosed.

Charge Account No. 12-1420 in the amount of $ .

A duplicate of this transmittal is attached.



17. All correspondence regarding this application should be forwarded to the undersigned attorney: 

Joel G. Ackerman, Esq. 
Limbach & Limbach L.L.P. 
2001 Ferry Building 
San Francisco, CA 94111
Telephone: 415/433-4150
Facsimile: 415/433-8716 

18. Authorization to Charge Additional Fees 

X The Commissioner is hereby authorized to charge any additional fees (or credit any 

overpayment) associated with this communication and which may be required under 37 CFR §
1.16 or § 1.17 to Account No. 12-1420. A duplicate of this transmittal is attached.

LIMBACH & LIMBACH L.L.P. 



April 19, 2000 
(Date) 

Attorney Docket No. NDS-4600 USA 




Joel G. Ackerman
Registration No. 24,307
Attorney(s) or Agent(s) of Record






Express Mail Label No. EL254110035US 
Attorney Docket No. NDS-4600 USA 



PUBLIC-KEY SIGNATURE METHODS AND SYSTEMS 

FIELD OF THE INVENTION 

The present invention generally relates to cryptography, and more 
particularly to public-key cryptography. 

BACKGROUND OF THE INVENTION 

The first public-key cryptography scheme was introduced in 1975. 
Since then, many public-key schemes have been developed and published. Many
public-key schemes require some arithmetic computations modulo an integer n, 
where today n is typically between 512 and 1024 bits. 

Due to the relatively large number of bits n, such public-key 
schemes are relatively slow in operation and are considered heavy consumers of 
random-access-memory (RAM) and other computing resources. These problems 
are particularly acute in applications in which the computing resources are 
limited, such as smart card applications. Thus, in order to overcome these 
problems, other families of public-key schemes which do not require many 
arithmetic computations modulo n have been developed. Among these other 
families are schemes where the public-key is given as a set of k multivariable 
polynomial equations over a finite mathematical field K which is relatively small, 
e.g., between 2 and $2^{64}$.

The set of k multivariable polynomial equations can be written as
follows:

$y_1 = P_1(x_1, \ldots, x_n)$
$y_2 = P_2(x_1, \ldots, x_n)$
$\vdots$
$y_k = P_k(x_1, \ldots, x_n)$,

where $P_1, \ldots, P_k$ are multivariable polynomials of small total degree, typically less
than or equal to 8, and in many cases, exactly two.

Examples of such schemes include the C* scheme of T. Matsumoto
and H. Imai, the HFE scheme of Jacques Patarin, and the basic form of the "Oil
and Vinegar" scheme of Jacques Patarin.

The C* scheme is described in an article titled "Public Quadratic
Polynomial-tuples for Efficient Signature Verification and Message-encryption"
in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419 - 453. The HFE
scheme is described in an article titled "Hidden Fields Equations (HFE) and
Isomorphisms of Polynomials (IP): Two New Families of Asymmetric
Algorithms" in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33 - 48.
The basic form of the "Oil and Vinegar" scheme of Jacques Patarin is described
in an article titled "The Oil and Vinegar Signature Scheme" presented at the
Dagstuhl Workshop on Cryptography in September 1997.

However, the C* scheme and the basic form of the "Oil and
Vinegar" scheme have been shown to be insecure, in that cryptanalyses of both the
C* scheme and the basic form of the "Oil and Vinegar" scheme have been
discovered and published by Aviad Kipnis and Adi Shamir in an article titled
"Cryptanalysis of the Oil and Vinegar Signature Scheme" in Proceedings of
CRYPTO'98, Springer-Verlag LNCS n°1462, pp. 257 - 266. Weaknesses in
construction of the HFE scheme have been described in two unpublished articles
titled "Cryptanalysis of the HFE Public Key Cryptosystem" and "Practical
Cryptanalysis of the Hidden Fields Equations (HFE)", but at present, the HFE
scheme is not considered compromised since for well chosen and still reasonable
parameters, the number of computations required to break the HFE scheme is still
too large.

Some aspects of related technologies are described in the following
publications:

US Patent 5,263,085 to Shamir describes a new type of digital
signature scheme whose security is based on the difficulty of solving systems of k
polynomial equations in m unknowns modulo a composite n; and

US Patent 5,375,170 to Shamir describes a novel digital signature
scheme which is based on a new class of birational permutations which have
small keys and require few arithmetic operations.

The disclosures of all references mentioned above and throughout 
the present specification are hereby incorporated herein by reference. 



SUMMARY OF THE INVENTION 



The present invention seeks to improve security of digital signature
cryptographic schemes in which the public-key is given as a set of k multivariable
polynomial equations, typically, over a finite mathematical field K. Particularly,
the present invention seeks to improve security of the basic form of the "Oil and
Vinegar" and the HFE schemes. An "Oil and Vinegar" scheme which is modified
to improve security according to the present invention is referred to herein as an
unbalanced "Oil and Vinegar" (UOV) scheme. An HFE scheme which is
modified to improve security according to the present invention is referred to
herein as an HFEV scheme.

In the present invention, a set S1 of k polynomial functions is
supplied as a public-key. The set S1 preferably includes the functions
$P_1(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k), \ldots, P_k(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k)$,
where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type,
and $y_1,\ldots,y_k$ are k variables of a second type. The set S1 is preferably obtained
by applying a secret key operation on a set S2 of k polynomial functions
$P'_1(a_1,\ldots,a_{n+v}, y_1,\ldots,y_k), \ldots, P'_k(a_1,\ldots,a_{n+v}, y_1,\ldots,y_k)$
where $a_1,\ldots,a_{n+v}$ are n+v variables which include a set of n "oil" variables
$a_1,\ldots,a_n$, and a set of v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$. It is
appreciated that the secret key operation may include a secret affine
transformation s on the n+v variables $a_1,\ldots,a_{n+v}$.

When a message to be signed is provided, a hash function may be
applied on the message to produce a series of k values $b_1,\ldots,b_k$. The series of k
values $b_1,\ldots,b_k$ is preferably substituted for the variables $y_1,\ldots,y_k$ of the
set S2 respectively so as to produce a set S3 of k polynomial functions
$P''_1(a_1,\ldots,a_{n+v}), \ldots, P''_k(a_1,\ldots,a_{n+v})$. Then, v values
$a'_{n+1},\ldots,a'_{n+v}$ may be selected for the v "vinegar" variables
$a_{n+1},\ldots,a_{n+v}$, either randomly or according to a
predetermined selection algorithm.

Once the v values $a'_{n+1},\ldots,a'_{n+v}$ are selected, a set of equations
$P''_1(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0, \ldots, P''_k(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0$
is preferably solved to obtain a solution for $a'_1,\ldots,a'_n$. Then, the secret key
operation may be applied to transform $a'_1,\ldots,a'_{n+v}$ to a digital signature
$e_1,\ldots,e_{n+v}$.

The generated digital signature $e_1,\ldots,e_{n+v}$ may be verified by a
verifier which may include, for example, a computer or a smart card. In order to
verify the digital signature, the verifier preferably obtains the signature
$e_1,\ldots,e_{n+v}$, the message, the hash function and the public key. Then, the
verifier may apply the hash function on the message to produce the series of k
values $b_1,\ldots,b_k$. Once the k values $b_1,\ldots,b_k$ are produced, the verifier
preferably verifies the digital signature by verifying that the equations
$P_1(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0, \ldots, P_k(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0$
are satisfied.

There is thus provided in accordance with a preferred embodiment
of the present invention a digital signature cryptographic method including the
steps of supplying a set S1 of k polynomial functions as a public-key, the set S1
including the functions
$P_1(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k), \ldots, P_k(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k)$,
where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type,
$y_1,\ldots,y_k$ are k variables of a second type, and the set S1 is obtained by
applying a secret key operation on a set S2 of k polynomial functions
$P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k), \ldots, P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$
where $a_1,\ldots,a_{n+v}$ are n+v variables which include a set of n "oil" variables
$a_1,\ldots,a_n$, and a set of v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$, providing a
message to be signed, applying a hash function on the message to produce a
series of k values $b_1,\ldots,b_k$, substituting the series of k values $b_1,\ldots,b_k$
for the variables $y_1,\ldots,y_k$ of the set S2 respectively to produce a set S3 of k
polynomial functions $P''_1(a_1,\ldots,a_{n+v}), \ldots, P''_k(a_1,\ldots,a_{n+v})$, selecting v
values $a'_{n+1},\ldots,a'_{n+v}$ for the v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$,
solving a set of equations
$P''_1(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0, \ldots, P''_k(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0$
to obtain a solution for $a'_1,\ldots,a'_n$, and applying the secret key operation to
transform $a'_1,\ldots,a'_{n+v}$ to a digital signature $e_1,\ldots,e_{n+v}$.

Preferably, the method also includes the step of verifying the digital
signature. The verifying step preferably includes the steps of obtaining the
signature $e_1,\ldots,e_{n+v}$, the message, the hash function and the public key,
applying the hash function on the message to produce the series of k values
$b_1,\ldots,b_k$, and verifying that the equations
$P_1(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0, \ldots, P_k(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0$
are satisfied.

The secret key operation preferably includes a secret affine
transformation s on the n+v variables $a_1,\ldots,a_{n+v}$.

Preferably, the set S2 includes the set f(a) of k polynomial functions
of the HFEV scheme. In such a case, the set S2 preferably includes an expression
including k functions that are derived from a univariate polynomial. The
univariate polynomial preferably includes a univariate polynomial of degree less
than or equal to 100,000.

Alternatively, the set S2 includes the set S of k polynomial
functions of the UOV scheme.

The supplying step may preferably include the step of selecting the
number v of "vinegar" variables to be greater than the number n of "oil"
variables. Preferably, v is selected such that $q^v$ is greater than $2^{32}$, where q is the
number of elements of a finite field K.

In accordance with a preferred embodiment of the present
invention, the supplying step includes the step of obtaining the set S1 from a
subset S2' of k polynomial functions of the set S2, the subset S2' being
characterized by that all coefficients of components involving any of the
$y_1,\ldots,y_k$ variables in the k polynomial functions
$P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k), \ldots, P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$
are zero, and the number v of
"vinegar" variables is greater than the number n of "oil" variables.

Preferably, the set S2 includes the set S of k polynomial functions
of the UOV scheme, and the number v of "vinegar" variables is selected so as to
satisfy one of the following conditions: (a) for each characteristic p other than 2
of a field K in an "Oil and Vinegar" scheme of degree 2, v satisfies the inequality
$q^{(v-n)-1} \cdot n^4 > 2^{40}$, (b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is
greater than $n \cdot (1 + \sqrt{3})$ and lower than or equal to $n^3/6$, and (c) for each p
other than 2 in an "Oil and Vinegar" scheme of degree 3, v is greater than n and
lower than or equal to $n^4$. Preferably, the number v of "vinegar" variables is
selected so as to satisfy the inequalities $v < n^2$ and $q^{(v-n)-1} \cdot n^4 > 2^{40}$ for a
characteristic p=2 of a field K in an "Oil and Vinegar" scheme of degree 2.

There is also provided in accordance with a preferred embodiment
of the present invention an improvement of an "Oil and Vinegar" signature
method, the improvement including the step of using more "vinegar" variables
than "oil" variables. Preferably, the number v of "vinegar" variables is selected so
as to satisfy one of the following conditions: (a) for each characteristic p other
than 2 of a field K and for a degree 2 of the "Oil and Vinegar" signature method,
v satisfies the inequality $q^{(v-n)-1} \cdot n^4 > 2^{40}$, (b) for p = 2 and for a degree 3 of the
"Oil and Vinegar" signature method, v is greater than $n \cdot (1 + \sqrt{3})$ and lower
than or equal to $n^3/6$, and (c) for each p other than 2 and for a degree 3 of the "Oil
and Vinegar" signature method, v is greater than n and lower than or equal to $n^4$.
Preferably, the number v of "vinegar" variables is selected so as to satisfy the
inequalities $v < n^2$ and $q^{(v-n)-1} \cdot n^4 > 2^{40}$ for a characteristic p=2 of a field K in an
"Oil and Vinegar" scheme of degree 2.

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention will be understood and appreciated more
fully from the following detailed description, taken in conjunction with the
drawings in which:

Fig. 1 is a simplified block diagram illustration of a preferred
implementation of a system for generating and verifying a digital signature to a
message, the system being constructed and operative in accordance with a
preferred embodiment of the present invention;

Fig. 2A is a simplified flow chart illustration of a preferred digital
signature cryptographic method for generating a digital signature to a message,
the method being operative in accordance with a preferred embodiment of the
present invention; and

Fig. 2B is a simplified flow chart illustration of a preferred digital
signature cryptographic method for verifying the digital signature of Fig. 2A, the
method being operative in accordance with a preferred embodiment of the present
invention.

Appendix I is an article by Aviad Kipnis, Jacques Patarin and Louis
Goubin submitted for publication by Springer-Verlag in Proceedings of
EUROCRYPT'99, the article describing variations of the UOV and the HFEV
schemes.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT



Reference is now made to Fig. 1 which is a simplified block
diagram illustration of a preferred implementation of a system 10 for generating
and verifying a digital signature to a message, the system 10 being constructed
and operative in accordance with a preferred embodiment of the present
invention.

Preferably, the system 10 includes a computer 15, such as a general
purpose computer, which communicates with a smart card 20 via a smart card
reader 25. The computer 15 may preferably include a digital signature generator
30 and a digital signature verifier 35 which may communicate data via a
communication bus 40. The smart card 20 may preferably include a digital
signature generator 45 and a digital signature verifier 50 which may communicate
data via a communication bus 55.

It is appreciated that in typical public-key signature scheme
applications, a signer of a message and a receptor of a signed message agree on a
public-key which is published, and on a hash function to be used. In a case that
the hash function is compromised, the signer and the receptor may agree to
change the hash function. It is appreciated that a generator of the public-key need
not be the signer or the receptor.

Preferably, the digital signature verifier 35 may verify a signature
generated by one of the digital signature generator 30 and the digital signature
generator 45. Similarly, the digital signature verifier 50 may verify a signature
generated by one of the digital signature generator 30 and the digital signature
generator 45.

Reference is now made to Fig. 2A which is a simplified flow chart
illustration of a preferred digital signature cryptographic method for generating a
digital signature to a message in a first processor (not shown), and to Fig. 2B
which is a simplified flow chart illustration of a preferred digital signature
cryptographic method for verifying the digital signature of Fig. 2A in a second
processor (not shown), the methods of Figs. 2A and 2B being operative in
accordance with a preferred embodiment of the present invention.

It is appreciated that the methods of Figs. 2A and 2B may be
implemented in hardware, in software or in a combination of hardware and
software. Furthermore, the first processor and the second processor may be
identical. Alternatively, the method may be implemented by the system 10 of Fig.
1 in which the first processor may be comprised, for example, in the computer 15,
and the second processor may be comprised in the smart card 20, or vice versa.

The methods of Figs. 2A and 2B, and applications of the methods of
Figs. 2A and 2B are described in Appendix I which is incorporated herein. The
applications of the methods of Figs. 2A and 2B may be employed to modify the
basic form of the "Oil and Vinegar" scheme and the HFE scheme thereby to
produce the UOV and the HFEV respectively.

Appendix I includes an unpublished article by Aviad Kipnis,
Jacques Patarin and Louis Goubin submitted for publication by Springer-Verlag
in Proceedings of EUROCRYPT'99 which is scheduled on 2 - 6 May 1999. The
article included in Appendix I also describes variations of the UOV and the
HFEV schemes with small signatures.

In the digital signature cryptographic method of Fig. 2A, a set S1 of
k polynomial functions is preferably supplied as a public-key (step 100) by a
generator of the public-key (not shown) which may be, for example, the generator
30 of Fig. 1, the generator 45 of Fig. 1, or an external public-key generator (not
shown).

The set S1 preferably includes the functions
$P_1(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k), \ldots, P_k(x_1,\ldots,x_{n+v}, y_1,\ldots,y_k)$,
where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type,
and $y_1,\ldots,y_k$ are k variables of a second type. The set
S1 is preferably obtained by applying a secret key operation on a set S2 of k
polynomial functions
$P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k), \ldots, P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ where
$a_1,\ldots,a_{n+v}$ are n+v variables which include a set of n "oil" variables
$a_1,\ldots,a_n$, and a set of v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$. It is
appreciated that the secret key operation may include a secret affine
transformation s on the n+v variables $a_1,\ldots,a_{n+v}$.

The terms "oil" variables and "vinegar" variables refer to "oil" 
variables and "vinegar" variables as defined in the basic form of the "Oil and 
Vinegar" scheme of Jacques Patarin which is described in the above mentioned 
article titled "The Oil and Vinegar Signature Scheme" presented at the Dagstuhl 
Workshop on Cryptography in September 1997. 

Preferably, when a message to be signed is provided (step 105), a
signer may apply a hash function on the message to produce a series of k values
$b_1,\ldots,b_k$ (step 110). The signer may be, for example, the generator 30 or the
generator 45 of Fig. 1. The series of k values $b_1,\ldots,b_k$ is preferably substituted for
the variables $y_1,\ldots,y_k$ of the set S2 respectively so as to produce a set S3 of k
polynomial functions $P''_1(a_1,\ldots,a_{n+v}), \ldots, P''_k(a_1,\ldots,a_{n+v})$ (step 115).
Then, v values $a'_{n+1},\ldots,a'_{n+v}$ may be randomly selected for the v "vinegar"
variables $a_{n+1},\ldots,a_{n+v}$ (step 120). Alternatively, the v values
$a'_{n+1},\ldots,a'_{n+v}$ may be selected according to a
predetermined selection algorithm.

Once the v values $a'_{n+1},\ldots,a'_{n+v}$ are selected, a set of equations
$P''_1(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0, \ldots, P''_k(a_1,\ldots,a_n,a'_{n+1},\ldots,a'_{n+v})=0$
is preferably solved to obtain a solution for $a'_1,\ldots,a'_n$ (step 125). Then, the
secret key operation may be applied to transform $a'_1,\ldots,a'_{n+v}$ to a digital
signature $e_1,\ldots,e_{n+v}$ (step 130).

The generated digital signature $e_1,\ldots,e_{n+v}$ may be verified according
to the method described with reference to Fig. 2B by a verifier of the digital
signature (not shown) which may include, for example, the verifier 35 or the
verifier 50 of Fig. 1. In order to verify the digital signature, the verifier preferably
obtains the signature $e_1,\ldots,e_{n+v}$, the message, the hash function and the public key
(step 200). Then, the verifier may apply the hash function on the message to
produce the series of k values $b_1,\ldots,b_k$ (step 205). Once the k values
$b_1,\ldots,b_k$ are produced, the verifier preferably verifies the digital signature by
verifying that the equations
$P_1(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0, \ldots, P_k(e_1,\ldots,e_{n+v},b_1,\ldots,b_k)=0$
are satisfied (step 210).
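
The signing steps 100 to 130 and the verification steps 200 to 210 described above, as an added Python example that is not part of the patent text: a toy UOV instance that generates a key pair, signs by fixing the vinegar values and solving the resulting linear system in the oil unknowns, and verifies against the public polynomials. Assumptions made for illustration: the field GF(31), n = 3, v = 6, k = n, SHA-256 as the hash, public polynomials of the form P_i(x, y) = Q_i(x) - y_i, and all function names.

```python
import hashlib
import random

Q = 31        # toy prime field K = GF(31); constructed, far too small for real use
N, V = 3, 6   # n "oil" and v "vinegar" variables, unbalanced: v > n
K = N         # k equations; k = n keeps the oil system square (assumption)

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_vec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]

def mat_mul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in Bt] for row in A]

def quad_form(A, x):
    return sum(x[r] * A[r][s] * x[s] for r in range(len(x)) for s in range(len(x))) % Q

def solve(A, b):
    """Gauss-Jordan elimination mod Q; returns the unique solution or None."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, Q)
        M[c] = [x * inv % Q for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % Q for x, y in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def invert(M):
    n = len(M)
    cols = [solve(M, [int(i == j) for i in range(n)]) for j in range(n)]
    return None if cols[0] is None else transpose(cols)

def hash_to_field(msg):
    """Steps 110 and 205: hash the message to k values b_1..b_k in K."""
    digest = hashlib.sha256(msg).digest()
    return [digest[i] % Q for i in range(K)]

def keygen(rng):
    """Step 100: build the secret central map and derive the public set S1."""
    dim = N + V
    M = None
    while M is None or invert(M) is None:   # secret affine map s: a = M x + c
        M = [[rng.randrange(Q) for _ in range(dim)] for _ in range(dim)]
    c = [rng.randrange(Q) for _ in range(dim)]
    Mt, central, public = transpose(M), [], []
    for _ in range(K):
        # Central polynomial a^T F a with the oil x oil block forced to zero.
        F = [[0 if r < N and s < N else rng.randrange(Q) for s in range(dim)]
             for r in range(dim)]
        sym = [[(F[r][s] + F[s][r]) % Q for s in range(dim)] for r in range(dim)]
        # Public P_i(x, y) = x^T (M^T F M) x + (M^T (F + F^T) c) . x + c^T F c - y_i
        public.append((mat_mul(mat_mul(Mt, F), M),
                       mat_vec(Mt, mat_vec(sym, c)), quad_form(F, c)))
        central.append(F)
    return (central, invert(M), c), public

def sign(msg, secret, rng):
    central, Minv, c = secret
    b = hash_to_field(msg)
    while True:
        vin = [rng.randrange(Q) for _ in range(V)]   # step 120: pick vinegar values
        A, rhs = [], []
        for F, bi in zip(central, b):
            # With vinegar fixed, each equation is linear in the n oil unknowns.
            A.append([sum((F[r][N + s] + F[N + s][r]) * vin[s] for s in range(V)) % Q
                      for r in range(N)])
            const = sum(vin[r] * F[N + r][N + s] * vin[s]
                        for r in range(V) for s in range(V)) % Q
            rhs.append((bi - const) % Q)
        oil = solve(A, rhs)                          # step 125
        if oil is not None:   # singular system: retry with fresh vinegar values
            a = oil + vin
            # Step 130: map a' back through the secret affine transformation.
            return mat_vec(Minv, [(ai - ci) % Q for ai, ci in zip(a, c)])

def verify(msg, public, e):
    """Step 210: every public polynomial must vanish at (e, b)."""
    b = hash_to_field(msg)
    return all((quad_form(Qp, e) + sum(l * x for l, x in zip(Lp, e)) + cp - bi) % Q == 0
               for (Qp, Lp, cp), bi in zip(public, b))

if __name__ == "__main__":
    rng = random.Random(2000)   # fixed seed so the demo is repeatable
    sk, pk = keygen(rng)
    sig = sign(b"constructed sample message", sk, rng)
    print(sig, verify(b"constructed sample message", pk, sig))
```

The verifier only evaluates quadratic polynomials over K, while the signer needs the secret structure (the missing oil x oil terms) to reduce signing to linear algebra.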

It is appreciated that the generation and verification of the digital
signature as mentioned above may be used for the UOV by allowing the set S2 to
include the set S of k polynomial functions of the UOV scheme as described in
Appendix I. Alternatively, the generation and verification of the digital signature
as mentioned above may be used for the HFEV by allowing the set S2 to include
the set f(a) of k polynomial functions of the HFEV scheme as described in
Appendix I.

As mentioned in Appendix I, the methods of Figs. 2A and 2B 
enable obtaining of digital signatures which are typically smaller than digital 
signatures obtained in conventional number theoretic cryptography schemes, such 
as the well known RSA scheme. 

In accordance with a preferred embodiment of the present
invention, when the set S2 includes the set S of k polynomial functions of the
UOV scheme, the set S1 may be supplied with the number v of "vinegar"
variables being selected to be greater than the number n of "oil" variables.
Preferably, v may be also selected such that $q^v$ is greater than $2^{32}$, where q is the
number of elements of a finite field K over which the sets S1, S2 and S3 are
provided.

Further preferably, the S1 may be obtained from a subset S2' of k
polynomial functions of the set S2, the subset S2' being characterized by that all
coefficients of components involving any of the $y_1,\ldots,y_k$ variables in the k
polynomial functions
$P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k), \ldots, P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ are zero,
and the number v of "vinegar" variables is greater than the number n of "oil"
variables.

In the basic "Oil and Vinegar" scheme, the number v of "vinegar"
variables is chosen to be equal to the number n of "oil" variables. For such a
selection of the v variables, Aviad Kipnis, who is one of the inventors of the
present invention, and Adi Shamir have shown, in the above mentioned
Proceedings of CRYPTO'98, Springer, LNCS n°1462, on pages 257 - 266, a
cryptanalysis of the basic "Oil and Vinegar" signature scheme which renders the
basic "Oil and Vinegar" scheme insecure. Additionally, by applying the same
method described by Kipnis and Shamir, the basic "Oil and Vinegar" scheme may
be shown to be insecure for any number v of "vinegar" variables which is lower
than the number n of "oil" variables.

The inventors of the present invention have found, as described in
Appendix I, that if the "Oil and Vinegar" scheme is made unbalanced by
modifying the "Oil and Vinegar" scheme so that the number v of "vinegar"
variables is greater than the number n of "oil" variables, a resulting unbalanced
"Oil and Vinegar" (UOV) scheme may be secure.

Specifically, for a UOV of degree 2 and for all values of p other
than 2, where p is a characteristic of the field K, p being the additive order of 1,
the UOV scheme is considered secure for values of v which satisfy the inequality
$q^{(v-n)-1} \cdot n^4 > 2^{40}$. For a UOV of degree 2 and for p=2, the number v of "vinegar"
variables may be selected so as to satisfy the inequalities $v < n^2$ and
$q^{(v-n)-1} \cdot n^4 > 2^{40}$.
It is appreciated that for values of v which are higher than $n^2/2$ but less than or
equal to $n^2$, the UOV is also considered secure, and solving the set S1 is
considered to be as difficult as solving a random set of k equations. For values of
v which are higher than $n^2$, the UOV is believed to be insecure.

Furthermore, for a UOV of degree 3 and for p = 2, the UOV
scheme is considered secure for values of v which are substantially greater than
$n \cdot (1 + \sqrt{3})$ and lower than or equal to $n^3/6$. It is appreciated that for values of
v which are higher than $n^3/6$ but lower than or equal to $n^3/2$, the UOV is also
considered secure, and solving the set S1 is considered to be as difficult as
solving a random set of k equations. For values of v which are higher than $n^3/2$,
and for values of v which are lower than $n \cdot (1 + \sqrt{3})$, the UOV is believed to
be insecure.

Additionally, for a UOV of degree 3 and for p other than 2, the
UOV scheme is considered secure for values of v which are substantially greater
than n and lower than or equal to $n^4$. It is appreciated that for values of v which
are higher than $n^3/6$ but lower than or equal to $n^4$, the UOV is also considered
secure, and solving the set S1 is considered to be as difficult as solving a random
set of k equations. For values of v which are higher than $n^4$, and for values of v
which are lower than n, the UOV is believed to be insecure.

Preferably, in a case that the set S2 includes the set f(a) of k
polynomial functions of the HFEV scheme, the set S2 may include an expression
which includes k functions that are derived from a univariate polynomial.
Preferably, the univariate polynomial may include a polynomial of degree less
than or equal to 100,000 on an extension field of degree n over K.

Examples of parameters selected for the UOV and the HFEV
schemes are shown in Appendix I.

It is appreciated that various features of the invention which are, for
clarity, described in the contexts of separate embodiments may also be provided
in combination in a single embodiment. Conversely, various features of the
invention which are, for brevity, described in the context of a single embodiment
may also be provided separately or in any suitable subcombination.

It will be appreciated by persons skilled in the art that the present
invention is not limited by what has been particularly shown and described
hereinabove. Rather the scope of the invention is defined only by the claims
which follow.

Abstract

In [9], J. Patarin designed a new scheme, called "Oil and Vinegar", for computing asymmetric
signatures. It is very simple, can be computed very fast (both in secret and public key) and requires
very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n
unknowns called "oil" and v = n unknowns called "vinegar" over a finite field K, with linear secret
functions. This original scheme was broken in [5] by A. Kipnis and A. Shamir. In this paper, we
study some very simple variations of the original scheme where v > n (instead of v = n). These
schemes are called "Unbalanced Oil and Vinegar" (UOV), since we have more "vinegar" unknowns
than "oil" unknowns. We show that, when $v \simeq n$, the attack of [5] can be extended, but when
v > 2n for example, the security of the scheme is still an open problem. Moreover, when $v \simeq n^2/2$, the
security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to
the problem of solving a random set of n quadratic equations in $n^2/2$ unknowns (with no trapdoor).
However, we show that when $v > n^2$, finding a solution is generally easy. In this paper, we also
present some practical values of the parameters, for which no attacks are known. The length of
the signatures can be as short as 192 bits. We also study schemes with public keys of degree three
instead of two. We show that no significant advantages exist at the present to recommend schemes
of degree three instead of two.



1 Introduction 

Since 1985, various authors (see [2], [4], [7], [8], [9], [10], [11] for example) have suggested some public 
key schemes where the public key is given as a set of multivariate quadratic (or higher degree) equations 
over a small finite field K. 

The general problem of solving such a set of equations is NP-hard (cf [3]) (even in the quadratic case). 
Moreover, when the number of unknowns is, say, n > 16, the best known algorithms are often not 
significantly better than exhaustive search (when n is very small, Gröbner bases algorithms might be
efficient). 

The schemes are often very efficient in terms of speed or RAM required in a smartcard implementation 
(however, the length of the public key is generally > 1 Kbyte). The most serious problem is that, in 
order to introduce a trapdoor (to allow the computation of signatures or to allow the decryption of 
messages when a secret is known), the generated set of public equations generally becomes a small 
subset of all the possible equations and, in many cases, the algorithms have been broken. For example 
[2] was broken by their authors, and [7] and [9] were broken. However, many schemes are still not 
broken (for example [8], [10], [11]), and also in many cases, some very simple variations have been 
suggested in order to repair the schemes. Therefore, at the present, we do not know whether this idea 
of designing public key algorithms with multivariate polynomials over finite fields is a very powerful 
idea (where only some too simple schemes are insecure) or not.

In this paper, we present what may be the most simple example: the original Oil and Vinegar signature
scheme (of [9]) was broken (see [5]), but if we have significantly more "vinegar" unknowns than "oil"
unknowns (a definition of the "oil" and "vinegar" unknowns can be found in section 2), then the attack
of [5] does not work and the security of this more general scheme is still an open problem.
Moreover, we show that, when we have approximately $n^2/2$ vinegar unknowns for n oil unknowns, the
security of the scheme is exactly equivalent (if we accept a natural but not proved property) to the
problem of solving a random set of n quadratic equations in $n^2/2$ unknowns (with no trapdoor). This is
a nice result, since it suggests that some partial proof of security (related to some simple to describe
and supposed very difficult to solve problems) might be found for some schemes with multivariate
polynomials over a finite field. However, we show that most of the systems of n quadratic equations
in $n^2$ (or more) variables can be solved in polynomial complexity. We also study Oil and Vinegar
schemes of degree three (instead of two).

2 The (Original and Unbalanced) Oil and Vinegar of degree two 

Let $K = F_q$ be a small finite field (for example $K = F_2$). Let n and v be two integers. The message
to be signed (or its hash) is represented as an element of $K^n$, denoted by $y = (y_1, ..., y_n)$. Typically,
$q^n \simeq 2^{128}$. The signature x is represented as an element of $K^{n+v}$ denoted by $x = (x_1, ..., x_{n+v})$.

Secret key 

The secret key is made of two parts: 

1. A bijective and affine function $s : K^{n+v} \to K^{n+v}$. By "affine", we mean that each component of
the output can be written as a polynomial of degree one in the n + v input unknowns, and with
coefficients in K.

2. A set (S) of n equations of the following type:

~ ■ j. \ { ;/ a.re the secret coefficients of these n equations. The 

that these equations (S) contain no terms in $a_i a_j$.

Public key 

Let A be the element of $K^{n+v}$ defined by $A = (a_1, ..., a_n, a'_1, ..., a'_v)$. A is transformed into $x = s^{-1}(A)$,
where s is the secret, bijective and affine function from $K^{n+v}$ to $K^{n+v}$.
Each value $y_i$, $1 \le i \le n$, can be written as a polynomial $P_i$ of total degree two in the $x_j$ unknowns,
$1 \le j \le n + v$. We denote by (P) the set of these n equations:

$\forall i, 1 \le i \le n, \quad y_i = P_i(x_1, ..., x_{n+v})$   (P)

These n quadratic equations (P) (in the n + v unknowns $x_j$) are the public key.

Computation of a signature (with the secret key)
The computation of a signature x of y is performed as follows:
Step 1: We find n unknowns $a_1, ..., a_n$ of K and v unknowns $a'_1, ..., a'_v$ of K such that the n equations
(S) are satisfied.
This can be done as follows: we randomly choose the v vinegar unknowns $a'_i$, and then we compute
the $a_i$ unknowns from (S) by Gaussian reductions (because - since there are no $a_i a_j$ terms - the
(S) equations are affine in the $a_i$ unknowns when the $a'_i$ are fixed).

Remark: If we find no solution, then we simply try again with new random vinegar unknowns.
After very few tries, the probability of obtaining at least one solution is very high, because
the probability for a n x n matrix over $F_q$ to be invertible is not negligible. (It is exactly
(1 - ^r=r)- For q = 2, this gives approximately 30 %, and for q > 2, this 

probability is even larger.) 

Step 2: We compute $x = s^{-1}(A)$, where $A = (a_1, ..., a_n, a'_1, ..., a'_v)$. x is a signature of y.

Public verification of a signature

A signature x of y is valid if and only if all the (P) are satisfied. As a result, no secret is needed to
check whether a signature is valid: this is an asymmetric signature scheme. 

Note: The name "Oil and Vinegar" comes from the fact that - in the equations (S) - the "oil
unknowns" $a_i$ and the "vinegar unknowns" $a'_j$ are not all mixed together: there are no $a_i a_j$ products.
However in (P), this property is hidden by the "mixing" of the unknowns by the s transformation. Is
this property "hidden enough"? In fact, this question exactly means: "is the scheme secure?". When
v = n we call the scheme "Original Oil and Vinegar", since this case was first presented in [9]. This
case was broken in [5]. It is very easy to see that the cryptanalysis of [5] also works, exactly in the
same way, when v < n. However, the cases v > n are much more difficult. When v > n, we call the
scheme "Unbalanced Oil and Vinegar". The analysis of such schemes is the topic of this paper.
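
The signing and verification procedure of section 2, as an added example that is not code from the paper: a toy instance with n = 4 oil and v = 8 vinegar unknowns over GF(31). The prime field, the sizes, the homogenised matrix layout of the coefficients and all function names are assumptions chosen for readability; the parameters are far too small to be secure.

```python
import hashlib
import random

P = 31         # toy prime field GF(31) (assumption; the paper's examples use F_2 and F_16)
N, V = 4, 8    # n oil and v = 2n vinegar unknowns: toy sizes, far too small to be secure
D = N + V + 1  # vectors are homogenised as (a_1..a_n, a'_1..a'_v, 1)


def solve(mat, rhs):
    """Gaussian reduction mod P: the unique solution of mat*z = rhs, or None if singular."""
    k = len(mat)
    rows = [[e % P for e in r] + [b % P] for r, b in zip(mat, rhs)]
    for col in range(k):
        piv = next((r for r in range(col, k) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [e * inv % P for e in rows[col]]
        for r in range(k):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(e - f * g) % P for e, g in zip(rows[r], rows[col])]
    return [row[k] for row in rows]


def quad(m, u):
    """Evaluate the quadratic form u^T m u mod P."""
    size = len(u)
    return sum(u[j] * m[j][k] * u[k] for j in range(size) for k in range(size)) % P


def hash_to_field(msg):
    """Map a message to y in K^n (toy encoding; the slight modulo bias is ignored here)."""
    return [b % P for b in hashlib.sha256(msg).digest()[:N]]


def keygen(rng):
    # Secret equations (S): one D x D coefficient matrix per equation. The zero
    # n x n block in the upper left corner means "no oil x oil terms".
    central = [[[0 if (j < N and k < N) else rng.randrange(P) for k in range(D)]
                for j in range(D)] for _ in range(N)]
    # Secret affine bijection s, written here as A = T*x + c (so x = s^{-1}(A)).
    while True:
        t = [[rng.randrange(P) for _ in range(N + V)] for _ in range(N + V)]
        if solve(t, [0] * (N + V)) is not None:   # keep T only if it is invertible
            break
    c = [rng.randrange(P) for _ in range(N + V)]
    s_h = [t[j] + [c[j]] for j in range(N + V)] + [[0] * (N + V) + [1]]
    # Public equations (P): P_i = s_h^T * M_i * s_h, which hides the zero block.
    public = []
    for m in central:
        ms = [[sum(m[j][i] * s_h[i][k] for i in range(D)) % P for k in range(D)]
              for j in range(D)]
        public.append([[sum(s_h[i][j] * ms[i][k] for i in range(D)) % P
                        for k in range(D)] for j in range(D)])
    return (central, t, c), public


def sign(secret, y, rng):
    central, t, c = secret
    while True:
        # Step 1: fix random vinegar values (plus the constant 1) ...
        tail = [rng.randrange(P) for _ in range(V)] + [1]
        lin, rhs = [], []
        for m, yi in zip(central, y):
            # ... so that each equation of (S) becomes affine in the n oil unknowns.
            lin.append([sum((m[j][N + k] + m[N + k][j]) * tail[k] for k in range(V + 1)) % P
                        for j in range(N)])
            rhs.append(yi - quad([row[N:] for row in m[N:]], tail))
        oil = solve(lin, rhs)
        if oil is not None:        # singular system: try again with new vinegar values
            break
    a = oil + tail[:V]
    # Step 2: x = s^{-1}(A), i.e. solve T*x = A - c.
    return solve(t, [ai - ci for ai, ci in zip(a, c)])


def verify(public, y, x):
    """A signature is valid iff every public equation P_i(x) = y_i holds."""
    xh = list(x) + [1]
    return all(quad(pm, xh) == yi % P for pm, yi in zip(public, y))


if __name__ == "__main__":
    rng = random.SystemRandom()
    secret, public = keygen(rng)
    y = hash_to_field(b"constructed sample message")
    x = sign(secret, y, rng)
    print("signature:", x, "valid:", verify(public, y, x))
```

Only `sign` touches the zero oil x oil block; `verify` works from the public matrices alone, in which that block is no longer visible.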

3 A short description of the attack of [5]: cryptanalysis of the case 
v = n 

The idea of the attack of [5] is essentially the following:

In order to separate the oil variables and the vinegar variables, we look at the quadratic forms of the
n public equations of (P), we omit for a while the linear terms. Let $G_i$ for $1 \le i \le n$ be the respective
matrix of the quadratic form of $P_i$ of the public equations (P).

The quadratic part of the equations in the set (S) is represented as a quadratic form with a corresponding
2n x 2n matrix of the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$; the upper left n x n zero submatrix is due to the
fact that an oil variable is not multiplied by an oil variable.
After hiding the internal variables with the linear function s, we get a representation for the matrices

$G_i = S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t$, where S is an invertible 2n x 2n matrix.

Definition 3.1: We define the oil subspace to be the linear subspace of all vectors in $K^{2n}$ whose
second half contains only zeros.

Definition 3.2: We define the vinegar subspace as the linear subspace of all vectors in $K^{2n}$ whose
first half contains only zeros.

Lemma 1 Let E and F be 2n x 2n matrices with an upper left zero n x n submatrix. If F is invertible
then the oil subspace is an invariant subspace of $E F^{-1}$.

Proof: E and F map the oil subspace into the vinegar subspace. If F is invertible, then this mapping
between the oil subspace and the vinegar subspace is one to one and onto (here we use the assumption
that v = n). Therefore $F^{-1}$ maps back the vinegar subspace into the oil subspace; this
explains why the oil subspace is transformed into itself by $E F^{-1}$.

Definition 3.4: For an invertible matrix $G_j$, define $G_{ij} = G_i G_j^{-1}$.

Definition 3.5: Let O be the image of the oil subspace by $S^{-1}$.
In order to find the oil subspace, we use the following theorem: 

Theorem 3.1 O is a common invariant subspace of all the matrices $G_{ij}$.
Proof: 




The two inner matrices have the form of E and F in lemma 1. Therefore, the oil subspace is an invariant
subspace of the inner term and O is an invariant subspace of $G_i G_j^{-1}$.

The problem of finding common invariant subspace of set of matrices is studied in [5]. Applying the
algorithms in [5] gives us O. We then pick V to be an arbitrary subspace of dimension n such that
$V + O = K^{2n}$, and they give an equivalent oil and vinegar separation.

Once we have such a separation we bring back the linear terms that were omitted, we pick random
values for the vinegar variables and are left with a set of n linear equations with n oil variables.

Note: Lemma 1 is not true any more when v > n. The oil subspace is still mapped by E and F into
the vinegar subspace. However $F^{-1}$ does not necessarily map the image by E of the oil subspace back
into the oil subspace and this is why the cryptanalysis of the original oil and vinegar is not valid for
the unbalanced case.

This corresponds to the fact that, if the submatrix of zeros in the top left corner of F is smaller than
n x n, then $F^{-1}$ does not have (in general) a submatrix of zeros in the bottom right corner. For example:




However, when v - n is small, we see in the next section how to extend the attack. 

4 Cryptanalysis when v > n and v ~ n 

In this section, we discuss the case of Oil and Vinegar schemes where v > n. Although a direct application
of the attack described in [5] and in the previous section does not solve the problem, a modification of
the attack exists, that is applicable as long as v - n is small.

Definition 4.1: We define in this section the oil subspace to be the linear subspace of all vectors in
$K^{n+v}$ whose last v coordinates are only zeros.

Definition 4.2: We define in this section the vinegar subspace to be the linear subspace of all vectors
in $K^{n+v}$ whose first n coordinates are only zeros.

Here in this section, we start with the homogeneous quadratic terms of the equations: we omit the
linear terms for a while.

The matrices $G_i$ have the representation

where the upper left matrix is the n x n zero matrix, $A_i$ is a n x v matrix, $B_i$ is a v x n matrix, $C_i$ is
a v x v matrix and S is a (n + v) x (n + v) invertible linear matrix.

Definition 4.3: Define $E_i$ to be

Lemma 2 For any matrix E that has the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$, the following holds:

a) E transforms the oil subspace into the vinegar subspace.

b) If the matrix $E^{-1}$ exists, then the image of the vinegar subspace by $E^{-1}$ is a subspace of dimension
v which contains the n-dimensional oil subspace in it.

Proof: a) follows directly from the definition of the oil and vinegar subspaces. When a) is given 
then b) is immediate. 

The algorithm we propose is a probabilistic algorithm. It looks for an invariant subspace of the oil
subspace after it is transformed by S. The probability for the algorithm to succeed on the first try is
small. Therefore we need to repeat it with different inputs. We use the following property: any linear
combination of the matrices $E_1, ..., E_n$ is also of the form $\begin{pmatrix} 0 & A \\ B & C \end{pmatrix}$.

The following theorem explains why an invariant subspace may exist with a certain probability. 

Theorem 4.1 Let F be an invertible linear combination of the matrices $E_1, ..., E_n$. Then for any k
such that $E_k^{-1}$ exists, the matrix $F E_k^{-1}$ has a non trivial invariant subspace which is also a subspace of
the oil subspace, with probability not less than for d = v - n.

Proof: The matrix F maps the oil subspace into the vinegar subspace, the image by F of the oil
subspace is mapped by $E_k^{-1}$ into a subspace of dimension v that contains the oil subspace - these are
due to lemma 1. We write v = n + d, where d is a small integer. The oil subspace and its image by
$F E_k^{-1}$ are two subspaces with dimension n that reside in a subspace of dimension n + d. Therefore,
their intersection is a subspace of the oil subspace with dimension not less than n - d. We denote the
oil subspace by $I_0$ and the intersection subspace by $I_1$. Now, we take the inverse images by $F E_k^{-1}$ of
$I_1$: this is a subspace of $I_0$ (the oil subspace) with dimension not less than n - d and the intersection
between this subspace and $I_1$ is a subspace of $I_1$ with dimension not less than n - 2d. We call this
subspace $I_2$. We can continue this process and define $I_\ell$ to be the intersection of $I_{\ell-1}$ and its inverse
image by $F E_k^{-1}$. These two subspaces have co-dimension not more than d in $I_{\ell-2}$. Therefore, $I_\ell$ has
a co-dimension not more than 2d in $I_{\ell-2}$ or a co-dimension not more than d in $I_{\ell-1}$. We can carry on
this process as long as we are sure that the inverse image by $F E_k^{-1}$ of $I_\ell$ has a non trivial intersection
with $I_\ell$. This is ensured as long as the dimension of $I_\ell$ is greater than d, but when the dimension is d
or less than d, there is no guaranty that these two subspaces - that reside in $I_{\ell-1}$ - have a non trivial
intersection. We end the process with $I_\ell$ that has dimension ≤ d that resides in $I_{\ell-1}$ with dimension
not more than 2d.
We know that the transformation $(F E_k^{-1})^{-1}$ maps $I_\ell$ into $I_{\ell-1}$. With probability not less than jj^j,
there is a non zero vector in $I_\ell$ that is mapped to a non zero multiple of itself - and therefore there is a
non trivial subspace of $F E_k^{-1}$ which is also a subspace of the oil subspace.

Note: It is possible to get a better result for the expected number of eigenvectors and with much
less effort. $I_1$ is a subspace with dimension not less than n - d and is mapped by $F E_k^{-1}$ into a subspace
with dimension n. The probability for a non zero vector to be mapped to a non zero multiple of itself
is JirL. To get the expected value, we multiply it by the number of non zero vectors in $I_1$. It gives
a value which is not less than ^C*^ . Since every eigenvector is counted q - 1 times, then the
expected number of invariant subspaces of dimension 1 is not less than y^ 1 - ~ J" .
We define O as in section 3 and we get the following result for O:

Theorem 4.2 Let F be an invertible linear combination of the matrices $G_1, ..., G_n$. Then for any k
such that $G_k^{-1}$ exists, the matrix $F G_k^{-1}$ has a non trivial invariant subspace, which is also a subspace
of O with probability not less than 4^ for d = v - n.



Proof:

The inner term is an invariant subspace of the oil subspace with the required probability. Therefore,
the same will hold for $F G_k^{-1}$, but instead of a subspace of the oil subspace, we get a subspace of O.

How to find O?

We take a random linear combination of $G_1, ..., G_n$ and multiply it by an inverse of one of the $G_k$
matrices. Then we calculate all the minimal invariant subspaces of this matrix (a minimal invariant
subspace of a matrix A contains no non trivial invariant subspaces of the matrix A - these subspaces
correspond to irreducible factors of the characteristic polynomial of A). This can be done in
probabilistic polynomial time using standard linear algebra techniques. This matrix may have an invariant
subspace which is a subspace of O.

The following lemma enables us to distinguish between subspaces that are contained in O and random 
subspaces. 

Lemma 3 If H is a linear subspace and $H \subset O$, then for every x, y in H and every i, $G_i(x, y) = 0$
(here we regard $G_i$ as a bilinear form).

Proof: There are x' and y' in the oil subspace such that $x' = x S^{-1}$ and $y' = y S^{-1}$.

$G_i(x, y) = x S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t y^t = (x' S^{-1}) S \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} S^t (y' S^{-1})^t = x' \begin{pmatrix} 0 & A_i \\ B_i & C_i \end{pmatrix} (y')^t = 0.$

The last term is zero because x' and y' are in the oil subspace.

This lemma gives a polynomial test to distinguish between subspaces of O and random subspaces.
If the matrix we used has no minimal subspace which is also a subspace of O, then we pick another
linear combination of $G_1, ..., G_n$, multiply it by an inverse of one of the $G_k$ matrices and try again.
After repeating this process approximately $q^{d-1}$ times, we find with good probability at least one zero
vector of O. We continue the process until we get n independent vectors of O. These vectors span O.
The expected complexity of the process is proportional to $q^{d-1} n^4$. We use here the expected number
of tries until we find a non trivial invariant subspace and the term $n^4$ covers the computational linear
algebra operations we need to perform for every try.

5 The cases $v \simeq n^2/2$ (or $v > n^2/2$)

Property

Let (A) be a random set of n quadratic equations in (n + v) variables $x_1, ..., x_{n+v}$. (By "random" we
mean that the coefficients of these equations are uniformly and randomly chosen). When $v \simeq n^2/2$ (and
more generally when $v > n^2/2$), there is probably - for most of such (A) - a linear change of variables
$(x_1, ..., x_{n+v}) \mapsto (x'_1, ..., x'_{n+v})$ such that the set (A') of the equations (A) written in $(x'_1, ..., x'_{n+v})$ is an "Oil
and Vinegar" system (i.e. there are no terms in $x'_i \cdot x'_j$ with $i \le n$ and $j \le n$).

An argument to justify the property

$x_i = \alpha_{i,1} x'_1 + \alpha_{i,2} x'_2 + \dots + \alpha_{i,n+v} x'_{n+v}$

By writing that the coefficient in all the n equations of (A) of all the $x'_i \cdot x'_j$ ($i \le n$ and $j \le n$) is zero,
we obtain a system of $n \cdot n \cdot \frac{n+1}{2}$ quadratic equations in the $(n + v) \cdot n$ variables $\alpha_{i,j}$ ($1 \le i \le n + v$,
$1 \le j \le n$). Therefore, when v > approximately $n^2/2$, we may expect to have a solution for this system
of equations for most of (A).

Remarks:

1. This argument is very natural, but this is not a complete mathematical proof.

2. The system may have a solution, but finding the solution might be a difficult problem. This is
why an Unbalanced Oil and Vinegar scheme might be secure (for well chosen parameters): there
is always a linear change of variables that makes the problem easy to solve, but finding such a
change of variables might be difficult.

3. In section 7 we will see that, despite the result of this section, it is not recommended to choose
$v > n^2$.

6 Solving a set of n quadratic equations in k unknowns, k > n, is
NP-hard

We present in section 7 an algorithm that solves in polynomial complexity more than 99% of the sets
of n quadratic equations in $n^2$ (or more) variables (i.e. it will probably succeed in more than 99% of
the cases when the coefficients are randomly chosen).

Roughly speaking, we can summarize this result by saying that solving a "random" set of n quadratic
equations in $n^2$ (or more) variables is feasible in polynomial complexity (and thus is not NP-hard if
P ≠ NP). However, we see in the present section that the problem of solving any (i.e. 100%) set of n
quadratic equations in k > n variables (so for example in $k = n^2$ variables) is NP-hard!
To see this, let us assume that we have a black box that takes any set of n quadratic equations with k
variables in input, and that gives one solution when at least one solution exists. Then we can use this
black box to find a solution for any set of n quadratic equations in n variables (and this is NP-hard).
We proceed (for example) as follows. Let (A) be a set of (n - 1) quadratic equations with (n - 1)
variables $x_1, x_2, ..., x_{n-1}$. Then let $y_1, ..., y_\alpha$ be α more variables.

Let (B) be the set of (A) equations plus one quadratic equation in $y_1, ..., y_\alpha$ (for example the equation:
$(y_1 + ... + y_\alpha)^2 = 1$). Then (B) is a set of exactly n quadratic equations in (n - 1 + α) variables. It is
clear that from the solution of (B) we will immediately find one solution for (A).

Note 1: (B) has a very special shape! This is why there is a polynomial algorithm for 99% of the
equations without contradicting the fact that solving these sets (B) of equations is a NP-hard problem.

Note 2: For (B) we can also add more than one quadratic equation in the $y_i$ variables and we can
linearly mix these equations with the equations of (A). In this case, (B) is still of very special form
but this very special form is less obvious at first glance since all the variables $x_i$ and $y_j$ are in all the
equations of (B).

7 A generally efficient algorithm for solving a random set of n quadratic
equations in $n^2$ (or more) unknowns

In this section, we describe an algorithm that solves a system of n randomly chosen quadratic equations
in n + v variables, when $v > n^2$.
Let (S) be the following system:

$\sum_{1 \le i \le j \le n+v} a_{ij1} x_i x_j + \sum_{1 \le i \le n+v} b_{i1} x_i + \delta_1 = 0$
...
$\sum_{1 \le i \le j \le n+v} a_{ijn} x_i x_j + \sum_{1 \le i \le n+v} b_{in} x_i + \delta_n = 0$



The main idea of the algorithm consists in using a change of variables such as:

$x_1 = \alpha_{1,1} y_1 + \alpha_{2,1} y_2 + \dots + \alpha_{n,1} y_n + \alpha_{n+1,1} y_{n+1} + \dots + \alpha_{n+v,1} y_{n+v}$

whose $\alpha_{i,j}$ coefficients (for $1 \le i \le n$, $1 \le j \le n + v$) are found step by step, in order that the resulting
system (S') (written with respect to these new variables $y_1, ..., y_{n+v}$) is easy to solve.

• We begin by choosing randomly $\alpha_{1,1}, ..., \alpha_{1,n+v}$.

• We then compute $\alpha_{2,1}, ..., \alpha_{2,n+v}$ such that (S') contains no $y_1 y_2$ terms. This condition leads to
a system of n linear equations on the (n + v) unknowns $\alpha_{2,j}$ ($1 \le j \le n + v$):

$\sum_{1 \le i \le j \le n+v} a_{ijk} \alpha_{1,i} \alpha_{2,j} = 0$   ($1 \le k \le n$).

• We then compute $\alpha_{3,1}, ..., \alpha_{3,n+v}$ such that (S') contains neither $y_1 y_3$ terms, nor $y_2 y_3$ terms. This
condition is equivalent to the following system of 2n linear equations on the (n + v) unknowns
$\alpha_{3,j}$ ($1 \le j \le n + v$):

$\sum_{1 \le i \le j \le n+v} a_{ijk} \alpha_{1,i} \alpha_{3,j} = 0$   ($1 \le k \le n$)

$\sum_{1 \le i \le j \le n+v} a_{ijk} \alpha_{2,i} \alpha_{3,j} = 0$   ($1 \le k \le n$)



• Finally, we compute $\alpha_{n,1}, ..., \alpha_{n,n+v}$ such that (S') contains neither $y_1 y_n$ terms, nor $y_2 y_n$ terms,
..., nor $y_{n-1} y_n$ terms. This condition gives the following system of (n - 1)n linear equations on
the (n + v) unknowns $\alpha_{n,j}$ ($1 \le j \le n + v$):

$\sum_{1 \le i \le j \le n+v} a_{ijk} \alpha_{1,i} \alpha_{n,j} = 0$   ($1 \le k \le n$)
...
$\sum_{1 \le i \le j \le n+v} a_{ijk} \alpha_{n-1,i} \alpha_{n,j} = 0$   ($1 \le k \le n$)

In general, all these linear equations provide at least one solution (found by Gaussian reductions). In
particular, the last system of n(n - 1) equations and (n + v) unknowns generally gives a solution, as
soon as n + v > n(n - 1), i.e. v > n(n - 2), which is true by hypothesis.

Moreover, the n vectors $(\alpha_{1,1}, ..., \alpha_{1,n+v})^T, ..., (\alpha_{n,1}, ..., \alpha_{n,n+v})^T$ are very likely to be linearly independent for a
random quadratic system (S).

The remaining $\alpha_{i,j}$ constants (i.e. those with $n + 1 \le i \le n + v$ and $1 \le j \le n + v$) are randomly
chosen, so as to obtain a bijective change of variables.
By rewriting the system (S) with respect to these new variables $y_i$, we are led to the following system:



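(S')

$\sum_{i=1}^{n} \beta_{i,1} y_i^2 + y_1 L_{1,1}(y_{n+1}, ..., y_{n+v}) + \dots + y_n L_{n,1}(y_{n+1}, ..., y_{n+v}) + Q_1(y_{n+1}, ..., y_{n+v}) = 0$
...
$\sum_{i=1}^{n} \beta_{i,n} y_i^2 + y_1 L_{1,n}(y_{n+1}, ..., y_{n+v}) + \dots + y_n L_{n,n}(y_{n+1}, ..., y_{n+v}) + Q_n(y_{n+1}, ..., y_{n+v}) = 0$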



where each $L_{i,j}$ is an affine function and each $Q_i$ is a quadratic function.
We then compute $y_{n+1}, ..., y_{n+v}$ such that:

Vi, 1 < i < n, Vj, 1 < j < n +v t I;j(y n ^i, .-mSM-v) = 0. 

This is possible because we have to solve a system of equations and v unknowns, which generally
provides at least one solution, as long as $v > n^2$.

It remains to solve the following system of n equations on the n unknowns $y_1, ..., y_n$:



(S") 



( n 

VBl 



«=1 



where $\lambda_k = -Q_k(y_{n+1}, ..., y_{n+v})$ ($1 \le k \le n$).

In general, this gives the $y_i^2$ by Gaussian reduction.



8 A variation with twice smaller signatures 

In the UOV described in section 2, the public key is a set of n quadratic equations $y_i = P_i(x_1, ..., x_{n+v})$,
for $1 \le i \le n$, where $y = (y_1, ..., y_n)$ is the hash value of the message to be signed. If we use a
collision-free hash function, the hash value must at least be 128 bits long. Therefore, $q^n$ must be at least $2^{128}$,
so that the typical length of the signature, if v = 2n, is at least 3 x 128 = 384 bits.
As we see now, it is possible to make a small variation in the signature design in order to obtain twice
smaller signatures. The idea is to keep the same polynomial $P_i$ (with the same associated secret key),
but now the public equations that we check are:

$\forall i, \quad P_i(x_1, ..., x_{n+v}) + L_i(y_1, ..., y_n, x_1, ..., x_{n+v}) = 0$,

where $L_i$ is a linear function in $(x_1, ..., x_{n+v})$ and where the coefficients of $L_i$ are generated by a hash
function in $(y_1, ..., y_n)$.

For example Lfa, y«, *i, = ^ s ^^"+^^', , 2r ? V * ™£ bT> 2* fa 

V IK) Now n can be chosen such that $q^n > 2^{64}$ (instead of $q^n > 2^{128}$). (Note: $q^n$ must be ≥ $2^{64}$ in
order to avoid exhaustive search on a solution x). If v = 2n and $q^n \simeq 2^{64}$, the length of the signature
will be 3 x 64 = 192 bits.

9 Oil and Vinegar of degree three
9.1 The scheme

The quadratic Oil and Vinegar schemes described in section 2 can easily be extended to any higher
degree. We now present the schemes in degree three.

Let K be a small finite field (for example $K = F_2$). Let $a_1, ..., a_n$ be n elements of K, called the
"oil" unknowns. Let $a'_1, ..., a'_v$ be v elements of K, called the "vinegar" unknowns.

Secret key

The secret key is made of two parts:

1. A bijective and affine function $s : K^{n+v} \to K^{n+v}$.

2. A set (S) of n equations of the following type:

The coefficients 7 ,„ ^, A,., ^ and * are the secret coefficients of these n equations.

Note that these equations (S) contain no terms in $a_i a_j a_k$ or in $a_i a_j a'_k$: the equations are affine in
the $a_i$ unknowns when the $a'_j$ unknowns are fixed.

Public key

Let A be the element of $K^{n+v}$ defined by $A = (a_1, ..., a_n, a'_1, ..., a'_v)$. A is transformed into $x = s^{-1}(A)$,
where s is the secret, bijective and affine function from $K^{n+v}$ to $K^{n+v}$. Each value $y_i$, $1 \le i \le n$, can
be written as a polynomial $P_i$ of total degree three in the $x_j$ unknowns, $1 \le j \le n + v$. We denote by
(P) the set of the following n equations:

$\forall i, 1 \le i \le n, \quad y_i = P_i(x_1, ..., x_{n+v})$   (P).
These n equations (P) are the public key.

Computation of a signature
Let y be the message to be signed (or its hash value).

Step 1: We randomly choose the v vinegar unknowns $a'_i$, and then we compute the $a_i$ unknowns from (S)
by Gaussian reductions (because - since there are no $a_i a_j$ terms - the (S) equations are affine in
the $a_i$ unknowns when the $a'_i$ are fixed). (If we find no solution for this affine system of n equations
and n "oil" unknowns, we just try again with new random "vinegar" unknowns.)

Step 2: We compute $x = s^{-1}(A)$, where $A = (a_1, ..., a_n, a'_1, ..., a'_v)$. x is a signature of y.

Public verification of a signature
A signature x of y is valid if and only if all the (P) are satisfied.

9.2 First cryptanalysis of Oil and Vinegar of degree three when v < n 

We can look at the quadratic part of the public key and attack it exactly as for an Oil and Vinegar of 
degree two. This is expected to work when v < n. 

Note: If there is no quadratic part (i.e. if the public key is homogeneous of degree three) or if this
attack does not work, then it is always possible to apply a random affine change of variables and to try
again. Moreover, we will see in section 9.3 that, surprisingly, there is an even easier and more efficient
attack in degree three than in degree two!

9.3 Cryptanalysis of Oil and Vinegar of degree three when $v \le (1 + \sqrt{3})n$ and K is
of characteristic ≠ 2 (from an idea of D. Coppersmith, cf

The key idea is to detect a "linearity" in some directions. We search the set V of the values
$d = (d_1, ..., d_{n+v})$ such that:

$\forall x, \forall i, 1 \le i \le n, \quad P_i(x + d) + P_i(x - d) = 2 P_i(x)$   (#).
By writing that each $x_k$ indeterminate has a zero coefficient, we obtain n·(n + v) quadratic equations
in the (n + v) unknowns $d_j$.

(Each monomial $x_j x_k x_\ell$ gives $(x_j + d_j)(x_k + d_k)(x_\ell + d_\ell) + (x_j - d_j)(x_k - d_k)(x_\ell - d_\ell) - 2 x_j x_k x_\ell$, i.e.
$2(x_j d_k d_\ell + x_k d_j d_\ell + x_\ell d_j d_k)$.)

Furthermore, the cryptanalyst can specify about n - 1 of the coordinates $d_j$ of d, since the vectorial
space of the correct d is of dimension n. It remains thus to solve n·(n + v) quadratic equations in (v + 1)
unknowns d,. When „ is not too large (Really when ^ < «(»+»). ^ wheH " * (1 + ^ } ' 
^^^7Z<o^ (1 + V3)n and is odd, this gives a simple way to break the 
scheme. 

Not. i= wn« . I. ««-« «h« d + VS)« (tw * * r^T/i mit *" Wiat " 

had in the quadratic case), we do not know at the present how to break the scheme.

Note 2: Strangely enough, this cryptanalysis of degree three Oil and Vinegar schemes does not work
on degree two Oil and Vinegar schemes. The reason is that - in degree two - writing

$\forall x, \forall i, 1 \le i \le n, \quad P_i(x + d) + P_i(x - d) = 2 P_i(x)$

only gives n equations of degree two on the (n + v) $d_j$ unknowns (that we do not know how to solve).
(Each monomial $x_j x_k$ gives $(x_j + d_j)(x_k + d_k) + (x_j - d_j)(x_k - d_k) - 2 x_j x_k$, i.e. $2 d_j d_k$.)

Note 3: In degree two, we have seen that Unbalanced Oil and Vinegar public keys are expected
to cover almost all the set of n quadratic equations when $v \simeq n^2/2$. In degree three, we have a similar
property: the public keys are expected to cover almost all the set of n cubic equations when v ^ ^ 
(the proof is similar). 



10 Public key length 

It is always feasible to make some easy transformations on a public key in order to obtain the public key 
in a canonical way such that this canonical expression is slightly shorter than the original expression. 

First, it is always possible to publish only the homogeneous part of the quadratic equations (and not 
the linear part), because if we know the secret affine change of variables, then we can solve P(x) = y in
an Oil and Vinegar scheme, we can also solve P(x) + L(x) = y, where L is any linear expression with
the same affine change of variables. It is thus possible to publish only the homogeneous part P and to
choose a convention for computing the linear part L of the public key (instead of publishing L). For
example, this convention can be that the linear terms of L in the equation number i ($1 \le i \le n$) are
computed from Hash(i||Id) (or from Hash(i||P)), where Hash is a public hash function and where Id
is the identity of the owner of the secret key.
On the equations, it is also possible to:

1. Make linear and bijective changes of variable x' = A(x).

2. Compute a linear and bijective transformation on the equation: P' = t(P). (For example, the
new first equation can be the old first plus the old third equation, etc).

By combining easily these two transformations, it is always possible to decrease slightly the length of
the public key.

Idea 1: It is possible to make a change of variables such that the first equation is in a canonical 
form (see [6], chapter 6). With this presentation of the public key, the length of the public key will be 
approximately ~ times the initial length. 

Idea 2: Another idea is to use the idea of section 7, i.e. to create a square of A x A zeros in the
coefficients, where A ~ V / ^M-. With this presentation, the length of the public key is approximately
( n +„)2-fa+ v ) times the initial length.

Remark: As we will see in section 12, the most efficient way of reducing the length of the public 
key is to choose carefully the values q and n. 



11 Summary of the results 

The underlying field is $K = F_q$ with $q = p^m$. Its characteristic is p.

"As difficult as random" means that the problem of breaking the scheme is expected to be as difficult
as the problem of solving a system of equations in v variables when the coefficients are randomly chosen
(i.e. with no trapdoor).

Degree | Broken | Not Broken | Not broken and as difficult as random | Broken (despite as difficult as random)


2 (for all p) v < n | n < u < ^ 


r± < u<n 2 


v > n 


3 (for p = 2) 


t/< (l + v^n (l + ^/3)n <v < *f 


£ < * < £ 


> si 
- * 


3 (for p == 2) | v < n n<v<^ 




v>n* 



In this table, we have summarized our current results on the attacks on Unbalanced Oil and Vinegar 
schemes. The original paper ([5]) was only studying the case v = n for quadratic equations. 

12 Concrete examples of parameters 

In all the examples below, we do not know how to break the scheme. We have arbitrarily chosen v = 2n
(or v = 3n) in all these examples (since v < n and $v > n^2$ are insecure).

Example 1: $K = F_2$, n = 128, v = 256 (or v = 384). The signature scheme is the one of section
2. The length of the public key is approximately $n \cdot \frac{(n+v)^2}{2}$ bits. This gives here a huge value:
approximately 1.1 Mbytes (or 2 Mbytes)! The length of the secret key (the s matrix) is approximately
$(n + v)^2$ bits, i.e. approximately 18 Kbytes. However, this secret key can always be generated from a
small secret seed of, say, 64 bits.

Example 2: $K = F_2$, n = 64, v = 128 (or v = 192). The signature scheme is the one of section 8. The
length of the public key is 144 Kbytes (or 256 Kbytes).

Example 3: $K = F_{16}$, n = 16, v = 32 (or v = 48). s is a secret affine bijection of $F_{16}^{n+v}$. The signature
scheme is the one of section 8. The length of the public key is 9 Kbytes (or 16 Kbytes).

Example 4: $K = F_{16}$, n = 16, v = 32 (or v = 48). s is a secret affine bijection of $F_{16}^{n+v}$ such that all
its coefficients lie in $F_2$. Moreover, the secret quadratic coefficients are also chosen in $F_2$, so that the
public functions $P_i$, $1 \le i \le n$, are n quadratic equations in (n + v) unknowns of $F_{16}$, with coefficients
in $F_2$. In this case (the signature scheme is still the one of section 8), the length of the public key is
2.2 Kbytes (or 4 Kbytes).

Note: In all these examples, n ≥ 16 in order to avoid Gröbner bases algorithms to find a solution x,
and $q^n \ge 2^{64}$ in order to avoid exhaustive search on x.



13 Conclusion 

The original Oil and Vinegar signature algorithm had a very efficient cryptanalysis (cf [5]). Moreover, 
we have seen in this paper that Oil and Vinegar schemes are often not more secure in degree three than 
in degree two. However, surprisingly, some of the very simple variations called "Unbalanced Oil and 
Vinegar" described in this paper have so far resisted all attacks. The scheme is still very simple, very 
fast, and its parameters can be chosen in order to have a reasonable size for the public key. Its security 
is an open problem, but it is interesting to notice that - when the number of "vinegar unknowns" 
becomes approximately £ (for n "oil unknowns") - then (if we accept a natural property) the scheme 
is as hard to break as a random set of n quadratic equations in £ unknowns (with no trapdoor). 
This may give hope to obtain more concrete results of security on multivariate polynomial public key 
cryptography. 



References 

[1] D. Coppersmith, personal communication, e-mail. 

[2] H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, Proceedings 
of CRYPTO'85, Springer-Verlag, vol. 213, pp. 340-349. 

[3] M. Garey, D. Johnson, Computers and Intractability, a Guide to the Theory of NP-Completeness, 
Freeman, p. 251. 

[4] H. Imai, T. Matsumoto, Algebraic Methods for Constructing Asymmetric Cryptosystems, Algebraic 
Algorithms and Error Correcting Codes (AAECC-3), Grenoble, 1985, Springer-Verlag, LNCS 
n°229. 

[5] A. Kipnis, A. Shamir, Cryptanalysis of the Oil and Vinegar Signature Scheme, Proceedings of 
CRYPTO'98, Springer, LNCS n°1462, pp. 257-266. 

[6] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its applications, volume 
20, Cambridge University Press. 

[7] T. Matsumoto, H. Imai, Public Quadratic Polynomial-tuples for efficient signature-verification and 
message-encryption, Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419-453. 

[8] J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New 
Families of Asymmetric Algorithms, Proceedings of EUROCRYPT'96, Springer, pp. 33-43. 

[9] J. Patarin, The Oil and Vinegar Signature Scheme, presented at the Dagstuhl Workshop on 
Cryptography, September 1997 (transparencies). 

[10] J. Patarin, L. Goubin, Trapdoor One-way Permutations and Multivariate Polynomials, 
Proceedings of ICICS'97, Springer, LNCS n°1334, pp. 356-368. 

[11] J. Patarin, L. Goubin, Asymmetric Cryptography with S-Boxes, Proceedings of ICICS'97, Springer, 
LNCS n°1334, pp. 369-380. 



What is claimed is: 



CLAIMS 



1. A digital signature cryptographic method comprising: 

supplying a set S1 of k polynomial functions as a public-key, the set 
S1 including the functions P_1(x_1,...,x_{n+v}, y_1,...,y_k),..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), 
where k, v, and n are integers, x_1,...,x_{n+v} are n+v variables of a first type, y_1,...,y_k 
are k variables of a second type, and the set S1 is obtained by applying a secret 
key operation on a set S2 of k polynomial functions 
P'_1(a_1,...,a_{n+v},y_1,...,y_k),...,P'_k(a_1,...,a_{n+v},y_1,...,y_k) where a_1,...,a_{n+v} are n+v variables 
which include a set of n "oil" variables a_1,...,a_n, and a set of v "vinegar" variables 

providing a message to be signed; 

applying a hash function on the message to produce a series of k 
values b_1,...,b_k; 

substituting the series of k values b_1,...,b_k for the variables y_1,...,y_k 
of the set S2 respectively to produce a set S3 of k polynomial functions 
P"_1(a_1,...,a_{n+v}),..., P"_k(a_1,...,a_{n+v}); 

selecting v values a'_{n+1},...,a'_{n+v} for the v "vinegar" variables 

solving a set of equations P"_1(a_1,...,a_n,a'_{n+1},...,a'_{n+v})=0,..., 
P"_k(a_1,...,a_n,a'_{n+1},...,a'_{n+v})=0 to obtain a solution for a'_1,...,a'_n; and 

applying the secret key operation to transform a'_1,...,a'_{n+v} to a 
digital signature e_1,...,e_{n+v}. 

2. A method according to claim 1 and also comprising the step of 
verifying the digital signature. 

3. A method according to claim 2 and wherein said verifying step 
comprises the steps of: 

obtaining the signature e_1,...,e_{n+v}, the message, the hash function 
and the public key; 

applying the hash function on the message to produce the series of 
k values b_1,...,b_k; and 

verifying that the equations P_1(e_1,...,e_{n+v},b_1,...,b_k)=0,..., 
P_k(e_1,...,e_{n+v},b_1,...,b_k)=0 are satisfied. 

4. A method according to claim 1 and wherein the set S2 comprises 
the set f(a) of k polynomial functions of the HFEV scheme. 

5. A method according to claim 1 and wherein the set S2 comprises 
the set S of k polynomial functions of the UOV scheme. 

6. A method according to claim 1 and wherein said supplying step 
comprises the step of selecting the number v of "vinegar" variables to be greater 
than the number n of "oil" variables. 

7. A method according to claim 1 and wherein v is selected such that 
q^v is greater than 2^32, where q is the number of elements of a finite field K. 

8. A method according to claim 1 and wherein said supplying step 
comprises the step of obtaining the set S1 from a subset S2' of k polynomial 
functions of the set S2, the subset S2' being characterized by that all coefficients 
of components involving any of the y_1,...,y_k variables in the k polynomial 
functions P'_1(a_1,...,a_{n+v},y_1,...,y_k),...,P'_k(a_1,...,a_{n+v},y_1,...,y_k) are zero, and the 
number v of "vinegar" variables is greater than the number n of "oil" variables. 

9. A method according to claim 8 and wherein the set S2 comprises 
the set S of k polynomial functions of the UOV scheme, and the number v of 
"vinegar" variables is selected so as to satisfy one of the following conditions: 

(a) for each characteristic p other than 2 of a field K in an "Oil and 
Vinegar" scheme of degree 2, v satisfies the inequality q^((v-n)-1) * n^4 > 
2^40, 

(b) for p = 2 in an "Oil and Vinegar" scheme of degree 3, v is 
greater than n*(1 + sqrt(3)) and lower than or equal to n^3/6, and 

(c) for each p other than 2 in an "Oil and Vinegar" scheme of 
degree 3, v is greater than n and lower than or equal to n^4. 

10. A method according to claim 8 and wherein the set S2 comprises 
the set S of k polynomial functions of the UOV scheme, and the number v of 
"vinegar" variables is selected so as to satisfy the inequalities v < n^2 and q^((v-n)-1) * n^4 
> 2^40 for a characteristic p=2 of a field K in an "Oil and Vinegar" scheme of 
degree 2. 

11. A method according to claim 1 and wherein said secret key 
operation comprises a secret affine transformation s on the n+v variables 
a_1,...,a_{n+v}. 

12. A method according to claim 4 and wherein said set S2 comprises 
an expression including k functions that are derived from a univariate 
polynomial. 


13. A method according to claim 12 and wherein said univariate 
polynomial includes a univariate polynomial of degree less than or equal to 
100,000. 






14. A cryptographic method for verifying the digital signature of claim 
1, the method comprising: 

obtaining the signature e_1,...,e_{n+v}, the message, the hash function 
and the public key; 

applying the hash function on the message to produce the series of 
k values b_1,...,b_k; and 

verifying that the equations P_1(e_1,...,e_{n+v},b_1,...,b_k)=0,..., 
P_k(e_1,...,e_{n+v},b_1,...,b_k)=0 are satisfied. 

15. In an "Oil and Vinegar" signature method, an improvement 
comprising the step of using more "vinegar" variables than "oil" variables. 

16. A method according to claim 15 and wherein the number v of 
"vinegar" variables is selected so as to satisfy one of the following conditions: 

(a) for each characteristic p other than 2 of a field K and for a 
degree 2 of the "Oil and Vinegar" signature method, v satisfies the 
inequality q^((v-n)-1) * n^4 > 2^40, 

(b) for p = 2 and for a degree 3 of the "Oil and Vinegar" signature 
method, v is greater than n*(1 + sqrt(3)) and lower than or equal to 
n^3/6, and 

(c) for each p other than 2 and for a degree 3 of the "Oil and 
Vinegar" signature method, v is greater than n and lower than or 
equal to n^4. 

17. A method according to claim 15 and wherein the set S2 comprises 
the set S of k polynomial functions of the UOV scheme, and the number v of 
"vinegar" variables is selected so as to satisfy the inequalities v < n^2 and q^((v-n)-1) * n^4 
> 2^40 for a characteristic p=2 of a field K in an "Oil and Vinegar" scheme of 
degree 2. 

ABSTRACT 

The invention provides for a cryptographic method for digital 
signature. 

A set S1 of k polynomial functions P_k(x_1,...,x_{n+v}, y_1,...,y_k) are 
supplied as a public key, where k, v, and n are integers, x_1,...,x_{n+v} are n+v 
variables of a first type, and y_1,...,y_k are k variables of a second type, the set S1 
being obtained by applying a secret key operation on a given set S2 of k 
polynomial functions P'_k(a_1,...,a_{n+v},y_1,...,y_k), a_1,...,a_{n+v} designating n+v variables 
including a set of n "oil" and v "vinegar" variables. 

A message to be signed is provided and submitted to a hash 
function to produce a series of k values b_1,...,b_k. These k values are substituted 
for the k variables y_1,...,y_k of the set S2 to produce a set S3 of k polynomial 
functions P"_k(a_1,...,a_{n+v}), and v values a'_{n+1},...,a'_{n+v} are selected for the v 
"vinegar" variables. A set of equations P"_k(a_1,...,a'_{n+v})=0 is solved to obtain a 
solution for a'_1,...,a'_n and the secret key operation is applied to transform the 
solution to the digital signature. 
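
The signing steps summarized in the abstract (claim 1) and the verification of claim 3, as an added toy example in Python; it is not code from the application. Assumptions: a prime field with q = 31, n = 4, v = 8, homogeneous quadratic polynomials of the form P_i(x) - y_i, a linear secret map s, and SHA-256 bytes reduced mod q as the hash; these sizes are far below the n and q^n bounds noted in section 12.

```python
import hashlib
import secrets

Q, N, V = 31, 4, 8      # assumed toy sizes: field GF(31), n = 4 oil, v = 2n = 8 vinegar
M = N + V
RNG = secrets.SystemRandom()

def solve(A, rhs):
    """Gauss-Jordan over GF(Q): return x with A x = rhs, or None if A is singular."""
    rows = [[x % Q for x in r] + [b % Q] for r, b in zip(A, rhs)]
    for c in range(len(rows)):
        piv = next((r for r in range(c, len(rows)) if rows[r][c]), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [x * inv % Q for x in rows[c]]
        for r in range(len(rows)):
            if r != c and rows[r][c]:
                f = rows[r][c]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[c])]
    return [row[-1] for row in rows]

def matmul(A, B):
    return [[sum(x * y for x, y in zip(row, col)) % Q for col in zip(*B)] for row in A]

def quad(F, a):
    """Evaluate the quadratic form a^T F a over GF(Q)."""
    return sum(F[j][k] * a[j] * a[k] for j in range(M) for k in range(M)) % Q

def keygen(rng=RNG):
    # Set S2: N central quadratic forms with no oil*oil terms (indices < N are oil).
    central = [[[0 if j < N and k < N else rng.randrange(Q) for k in range(M)]
                for j in range(M)] for _ in range(N)]
    while True:         # secret key operation s: an invertible matrix S, a = S x
        S = [[rng.randrange(Q) for _ in range(M)] for _ in range(M)]
        if solve(S, [0] * M) is not None:
            break
    St = list(zip(*S))
    public = [matmul(matmul(St, F), S) for F in central]   # set S1: P_i(x) = F_i(S x)
    return public, (central, S)

def hash_to_b(msg):
    # Toy hash to k = N field values b_1..b_k (byte mod Q is slightly biased).
    return [byte % Q for byte in hashlib.sha256(msg).digest()[:N]]

def sign(msg, secret, rng=RNG):
    central, S = secret
    b = hash_to_b(msg)
    while True:
        w = [rng.randrange(Q) for _ in range(V)]       # vinegar values a'_{n+1..n+v}
        a0 = [0] * N + w
        # With the vinegars fixed, each equation is linear in the oil unknowns.
        lin = [[sum((F[j][k] + F[k][j]) * a0[k] for k in range(N, M)) % Q
                for j in range(N)] for F in central]
        rhs = [(bi - quad(F, a0)) % Q for bi, F in zip(b, central)]
        oil = solve(lin, rhs)
        if oil is not None:                            # singular system: new vinegars
            return solve(S, oil + w)                   # signature e with S e = a'

def verify(msg, sig, public):
    # Claim 3: every public equation P_i(e) - b_i = 0 must hold.
    return [quad(P, sig) for P in public] == hash_to_b(msg)
```
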

FIG. 2A 

A GENERATOR OF A PUBLIC-KEY SUPPLIES A SET 
S1 OF k POLYNOMIAL FUNCTIONS AS A 
PUBLIC-KEY, WHERE THE SET S1 INCLUDES 
THE FUNCTIONS 
P_1(x_1,...,x_{n+v}, y_1,...,y_k),..., P_k(x_1,...,x_{n+v}, y_1,...,y_k), WITH 
k, v, AND n BEING INTEGERS, x_1,...,x_{n+v} BEING n+v 
VARIABLES OF A FIRST TYPE, AND y_1,...,y_k BEING k 
VARIABLES OF A SECOND TYPE, AND THE SET S1 
BEING OBTAINED BY APPLYING A SECRET KEY 
OPERATION ON A SET S2 OF k POLYNOMIAL 
FUNCTIONS 
P'_1(a_1,...,a_{n+v},y_1,...,y_k),...,P'_k(a_1,...,a_{n+v},y_1,...,y_k) WITH 
a_1,...,a_{n+v} BEING n+v VARIABLES WHICH INCLUDE A 
SET OF n "OIL" VARIABLES a_1,...,a_n, AND A SET OF v 
"VINEGAR" VARIABLES a_{n+1},...,a_{n+v} 

A MESSAGE TO BE SIGNED IS PROVIDED 

A SIGNER OF A DIGITAL SIGNATURE APPLIES 
A HASH FUNCTION ON THE MESSAGE TO 
PRODUCE A SERIES OF k VALUES b_1,...,b_k 

THE SIGNER SUBSTITUTES THE SERIES OF k 
VALUES b_1,...,b_k FOR THE VARIABLES y_1,...,y_k 
OF THE SET S2 RESPECTIVELY SO AS TO 
PRODUCE A SET S3 OF k POLYNOMIAL 
FUNCTIONS P"_1(a_1,...,a_{n+v}),..., P"_k(a_1,...,a_{n+v}) 

THE SIGNER SELECTS v VALUES a'_{n+1},...,a'_{n+v} 
FOR THE v "VINEGAR" VARIABLES a_{n+1},...,a_{n+v} 

THE SIGNER SOLVES A SET OF EQUATIONS 
P"_1(a_1,...,a_n,a'_{n+1},...,a'_{n+v})=0,..., P"_k(a_1,...,a_n,a'_{n+1},...,a'_{n+v})=0 
TO OBTAIN A SOLUTION FOR a'_1,...,a'_n 

THE SIGNER APPLIES THE SECRET KEY 
OPERATION TO TRANSFORM a'_1,...,a'_{n+v} TO 
THE DIGITAL SIGNATURE e_1,...,e_{n+v} 

FIG. 2B 

A VERIFIER OF A DIGITAL SIGNATURE OBTAINS THE 
SIGNATURE e_1,...,e_{n+v}, THE MESSAGE, THE HASH 
FUNCTION AND THE PUBLIC KEY 

205 

THE VERIFIER APPLIES THE HASH FUNCTION ON THE 
MESSAGE TO PRODUCE THE SERIES OF k VALUES 
b_1,...,b_k 

210 

THE VERIFIER VERIFIES THE DIGITAL SIGNATURE BY 
VERIFYING THAT THE EQUATIONS 
P_1(e_1,...,e_{n+v},b_1,...,b_k)=0,..., P_k(e_1,...,e_{n+v},b_1,...,b_k)=0 
ARE SATISFIED 



Express Mail Label No. EL254110035US 



Atty Docket No. NDS-4600 USA 
COMBINED DECLARATION FOR PATENT APPLICATION AND POWER OF ATTORNEY 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and 
joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a 
patent is sought on the invention entitled 

PUBLIC-KEY SIGNATURE METHODS AND SYSTEMS 

the specification of which (check one) x is attached hereto or was filed on as Application No. 

and was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above-identified specification, 
including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose all information which is material to patentability as defined in 37 CFR 
§ 1.56. 



I hereby claim foreign priority benefits under 35 U.S.C. § 119(a)-(d) or § 365(b) of any foreign 
application(s) for patent or inventor's certificate, or § 365(a) of any PCT International application which 
designated at least one country other than the United States, listed below and have also identified below 
any foreign application for patent or inventor's certificate having a filing date before that of the application 
on which priority is claimed: 

Prior Foreign Application(s) Priority Claimed 

Yes No 

99401048.6 EPC 29 April 1999 x 

Number Country Day/Month/Year Filed 



Number Country Day/Month/Year Filed 



I hereby claim the benefit under 35 U.S.C. § 119(e) of any United States provisional application(s) below. 



Application Number Filing Date 



Application Number Filing Date 



I hereby claim the benefit under 35 U.S.C. § 120 of any United States application(s), or § 365(c) of any 
PCT International application designating the United States, listed below and, insofar as the subject matter 
of each of the claims of this application is not disclosed in the prior United States application in the manner 
provided by the first paragraph of 35 U.S.C. § 112, I acknowledge the duty to disclose all information 
which is material to patentability as defined in 37 CFR § 1.56 which became available between the filing 
date of the prior application and the national or PCT international filing date of this application: 

Application Number Filing Date Status: Patented, Pending, Abandoned 



Application Number Filing Date Status: Patented, Pending, Abandoned 

\PATENTS\COMB-DEC.MRG Revised: 10/04/99 



I HEREBY APPOINT THE FOLLOWING AS MY ATTORNEYS WITH FULL POWER OF SUBSTITUTION TO 
PROSECUTE THIS APPLICATION AND TRANSACT ALL BUSINESS IN THE PATENT OFFICE CONNECTED 
THEREWITH: 

Karl A. Limbach 18,689 
Stephen M. Everett 30,050 
is.yia l. rtarnei 41 816 
George C. Limbach 19,305 
Alfred A. Equitz on qoo 
iviayui i II ivtGidJGi 40,075 
John K. Uilkema 20,282 
Charles P. Sammut 28,901 
IXCFIL «J. 1 (JUM 1 39,496 
Neil A. Smith 25,441 
Mark C. Pickering 36,239 
Michael R. Ward 38,651 
Veronica C. Devitt 29,375 
Patricia Coleman James 37,155 
Roger S. Sampson 44,314 
Ronald L. Yin 27,607 
Kathleen A. Frost 37,326 
Charles L. Hamilton 42,624 
Gerald T. Sekimura 30,103 
Alan A. Limbach 39,749 
Andrew V. Smith 43,132 
Michael A. Stallman 29,444 
Douglas C. Limbach 35,249 
Eric N. Hoover 37,355 
Philip A. Girard 28,848 
Seong-Kun Oh* 
J. Thomas McCarthy 22,420 
Michael J. Pollock 29,098 
Cameron A. King 41,897 
Joel G. Ackerman 24,307 






* Recognition under 37 CFR 10.9(b) 







Send correspondence to Limbach & Limbach L.L.P. 

Attn: Joel G. Ackerman 
2001 Ferry Building 
San Francisco, CA 94111 
Telephone: 415/433-4150 



I hereby declare that all statements made herein of my own knowledge are true and that all statements 
made on information and belief are believed to be true; and further that these statements were made with 
the knowledge that willful false statements and the like so made are punishable by fine or imprisonment or 
both, under 18 U.S.C. § 1001 and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. 



Full name of sole or first inventor AVIAD KIPNIS 



Inventor's signature 

Date 

Residence 7 HaPalmach Street, Jerusalem, Israel 92542 

Citizenship Israel 

Post Office Address 7 HaPalmach Street, Jerusalem, Israel 92542 



Full name of second joint inventor, if any, JACQUES PATARIN 

Inventor's signature 

Date 

Residence 11 rue Amedee Dailly, Viroflay, France 78220 

Citizenship France 

Post Office Address 11 rue Amedee Dailly, Viroflay, France 78220 



Full name of third joint inventor, if any, LOUIS GOUBIN 

Inventor's signature _ 

Date 

Residence 3 rue Brown-Sequard, Paris, France 75015 

Citizenship France 

Post Office Address 3 rue Brown-Sequard, Paris, France 75015 






